High Court: Injuries Resolution Board authorisation required for certain Data Breach claims

Cyber Attack

25 July 2024

In Dillon v Irish Life Assurance plc [2024] IEHC 203, the High Court has held that proceedings brought by a plaintiff seeking damages for inter alia distress, upset and anxiety arising from an alleged data breach required prior authorisation from the Personal Injuries Resolution Board (’PIRB’) (now known as the Injuries Resolution Board).

Background

The plaintiff, who was the owner of a life assurance policy with the defendant, issued proceedings after the defendant had allegedly sent letters containing the plaintiff’s personal data to an unauthorised third party.

The plaintiff claimed that on account of the defendant’s negligence and breach of duty, including statutory duty, he had suffered “distress, upset, anxiety, inconvenience, loss and damage”. The Circuit Court dismissed the proceedings on the basis prior authorisation had not been obtained from PIAB, as required by the Personal Injuries Assessment Board Act 2003 (‘2003 Act’). The plaintiff appealed this decision to the High Court, arguing that it was not a personal injuries claim but instead a claim for non-material damages pursuant to the GDPR (as implemented in Ireland by the Data Protection Act 2018 (‘2018 Act’)).

A ‘Civil Action’ within the Meaning of the 2003 Act?

The High Court identified the key issue it had to consider as being whether the plaintiff’s case fell within the definition of a “civil action” for the purposes of the 2003 Act. If it did, prior authorisation from PIAB would be required.

Section 4(1) of the 2003 Act provides that a “civil action” is an action in respect of a wrong, that is pursued for the purpose of recovering damages and the damages are for personal injuries.

What constitutes a “wrong” is itself defined in the Civil Liability Act 1961 and the court noted earlier authorities, such as the Supreme Court decision in Clarke v O’Gorman [2014] IESC 72, which described it as having the “broadest application”.

The High Court then had to consider if the damages sought by the plaintiff for “distress, upset, anxiety, inconvenience, loss and damage” fell within the definition of personal injury in the 2003 Act, namely any disease or impairment of a person’s physical or mental condition.

The court held that “inconvenience, loss and damage” could not be treated as a description of a personal injury but on the other hand, “anxiety and distress” could, in some cases, amount to an impairment of a person’s mental condition. The Personal Injuries Guidelines limit recovery of damages for non-physical injuries to cases of recognisable psychiatric illness or injury, while upset, distress, grief, disappointment and humiliation do not attract compensation. However, the court held that the fact the claimed impairment did not warrant an award of damages did not take the claim outside of the definition of what constitutes a personal injury in the legislation.

The High Court, therefore, held that the plaintiff’s claim did amount to a “civil action” for the purposes of the 2003 Act.

Remedy under the GDPR 

The plaintiff had argued that his claim was one for non-material damage as allowed for under the GDPR (as implemented in Ireland by section 117 of the 2018 Act (‘s.117’)) and not a personal injuries claim. However, the court noted that while there was a claim for breach of statutory duty, which could be treated as a claim pursuant to s. 117, there were also general pleas of negligence and breach of duty.

In any event, the High Court held that it does not automatically follow that if a claim is found to be for damages under s. 117, PIAB authorisation will not be required. S. 117 allows for compensation for damage suffered on account of an infringement of the data protection legislation and if the injured party seeks a remedy under the section which amounts to damages for personal injuries in respect of a wrong, authorisation under the 2003 Act will still be required. 

Keane v Central Statistics Office 

The High Court noted that this case differed in a number of respects from the earlier Keane v Central Statistics Office [2024] IEHC 20 (‘Keane’), in respect of which the cause of action predated the GDPR and so did not include a claim for compensation pursuant to s. 117.

In the Keane judgment, the High Court held that the plaintiff was required to make an application to PIAB for assessment in respect of a claim arising from an alleged data breach in which damages were sought for stress and anxiety, which were claimed to have impacted sleep and appetite and exacerbated symptoms of psoriatic arthritis. 

In Dillon, there was far less emphasis on medical consequences resulting from the breaches, with the plaintiff arguing that “stress and anxiety” were descriptors of his emotional reaction to the breach and their ordinary language meaning was not a description of an “impairment” of his “mental condition”.

However, despite this lack of focus on medical factors and the fact the plaintiff’s action did include a claim that could be treated as one pursuant to s. 117, the court came to the conclusion that, like Keane, the claim fell within the definition of a “civil action” for the purposes of the 2003 Act. 

Conclusion

The Dillon judgment highlights the relatively broad ambit of claims that can be classified as a “civil wrong”, as defined and how, therefore, a case may inadvertently come within the remit of the 2003 Act. Claims for compensation under the provisions of the GDPR/s.117 will not necessarily fall outside the 2003 Act and parties to a data breach claim will need to carefully consider the requirement for Injuries Resolution Board authorisation.

Follow us for the latest updates & news

Recent News

Autistic cinema manager wins €12k over discrimination in roster row

An autistic cinema manager who quit when his employer was unable to guarantee him two days off in a row following a months-long dispute over rostering arrangements has secured €12,000 in compensation for disability discrimination. The complainant's wife gave evidence...

Northern Ireland exam board boss wins £100,000 settlement

Northern Ireland’s Council for the Curriculum, Examinations and Assessment (CCEA) has paid a substantial settlement to its former interim chief executive who complained of sex, race and age discrimination and constructive dismissal. The sum paid to Margaret Farragher,...

Recent Articles

Psychological Injury

Nervous Shock I The law allows recovery of damages for so called nervous shock, within certain parameters and subject to limitations.  Nervous shock is the most commonly used legal label for psychiatric or psychological injury. Psychiatric injuries include...

Public Authorities and Negligence

Powers and Duties In broad terms, public authorities are subject to civil liability for negligence and other civil wrongs, in the same way as private individuals and companies.  The State and other public bodies are responsible for the actions and omissions of...

Duty of Care (Part 2)

Limits to Neighbour Principle The famous neighbour principle re-stated the general basis of liability in negligence. It stated, that “you must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your...

Duty of Care (Part 1)

Meaning of Negligence I Negligence is used in a number of senses.  In one sense, it refers to a person’s state of mind.  An act is negligent, where it is done without giving due weight to the risks involved.  A person  (and his state of mind) may...

Join our Panel

You May Also Like...